
Active Directory Groups not being resolved

Sep 5, 2013 at 11:07 PM
Hello Yvand,

The solution you provided works great. Thank you!! But for some reason the Active Directory groups are not being resolved, am I missing something here?
Coordinator
Sep 6, 2013 at 11:06 AM
hello,
what claim type did you choose for the groups when you created the SharePoint trust (with New-SPTrustedIdentityTokenIssuer cmdlet)?
By default LDAPCP assumes it is http://schemas.microsoft.com/ws/2008/06/identity/claims/role. If it's another one, you need to change it in LDAPCP admin pages (in central administration > Security tab)
cheers,
Yvan
Sep 6, 2013 at 7:05 PM
Edited Sep 6, 2013 at 8:10 PM
Hi there,
Can you please let me know how can I verify the right claim type for groups? Sorry for my ignorance here.

I am able to see the groups (Role) ADGroup1, (Role) ADGroup2, etc., but when I grant permissions to the group, people within the group still get an access denied message.

Thanks,
SV
Coordinator
Sep 12, 2013 at 12:51 PM
hello,

you can run the PowerShell cmdlet below to list all claim types available in the trust:
(Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation
By default, LDAPCP uses claim type http://schemas.microsoft.com/ws/2008/06/identity/claims/role for the groups, so if you use another one you need to update LDAPCP config in LDAPCP admin pages (in central administration > Security tab)

cheers,
Yvan
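A scripted version of the check Yvan describes, added here as an example that is not part of this thread or of LDAPCP. It assumes the SharePoint Management Shell snap-in is available on the server and that LDAPCP is still on its default group claim type; it reports, per trust, whether that claim type is mapped and which other non-identity claim types the trust carries.

```powershell
# Added diagnostic (not LDAPCP code). Assumes the SharePoint snap-in is
# present and LDAPCP uses its default group claim type (the role claim).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Claim type LDAPCP expects for groups unless changed in
# Central Administration > Security > LDAPCP pages.
$ldapcpGroupClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

foreach ($trust in Get-SPTrustedIdentityTokenIssuer) {
    Write-Host "Trust: $($trust.Name)"

    # The identity claim is flagged in the same collection shown in the thread.
    $identity = $trust.ClaimTypeInformation | Where-Object { $_.IsIdentityClaim }
    Write-Host "  Identity claim type: $($identity.MappedClaimType)"

    # Look for a mapping whose SharePoint-side (mapped) type is the LDAPCP default.
    $roleMapping = $trust.ClaimTypeInformation |
        Where-Object { $_.MappedClaimType -eq $ldapcpGroupClaimType }

    if ($roleMapping) {
        Write-Host "  Group claim type matches LDAPCP default"
        Write-Host "    input type from the IdP: $($roleMapping.InputClaimType)"
    } else {
        Write-Warning "  No mapping to $ldapcpGroupClaimType in trust $($trust.Name)."
        Write-Warning "  Either add that mapping to the trust, or point LDAPCP at one of:"
        $trust.ClaimTypeInformation |
            Where-Object { -not $_.IsIdentityClaim } |
            ForEach-Object { Write-Warning "    $($_.InputClaimType) -> $($_.MappedClaimType)" }
    }
}
```

This only confirms the trust side of the mapping; a matching claim type does not guarantee that the group values the IdP sends are in the format LDAPCP resolves (the unqualified-name point raised later in the thread), which has to be checked against the values actually issued in the token.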
Apr 28, 2014 at 11:49 PM
Hi,

I can already see that we are using the correct claim type as shown below, but still get access denied for users belonging to an AD Group:

DisplayName : Role
InputClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
MappedClaimType : http://schemas.microsoft.com/ws/2008/06/identity/claims/role
IsIdentityClaim : False
AcceptOnlyKnownClaimValues : False
ClaimValueModificationAction : None
ClaimValueModificationArgument :
KnownClaimValues : {}
UpgradedPersistedProperties :

At present I am mulling option to try out attribute "Token-Groups – Qualified Domain Name" and Token-Groups – "Qualified Long Domain Name" as opposed to "Token-Groups – Unqualified Names" at ADFS end, not sure though about results and hence seeking help.

Thanks in advance.

Ashish Malhotra
Coordinator
May 13, 2014 at 3:09 PM
hello,
sorry for my late reply.
LDAP queries will always return results that will match "Token-Groups – Unqualified Names".
LDAPCP supports "Token-Groups – Qualified Domain Name" but it requires a developer to inherit base class to configure this. There is an example of this configuration in package "LDAPCP for Developers"
cheers,
Yvan
Jun 25, 2014 at 4:13 PM
Yvand wrote:
hello,
sorry for my late reply.
LDAP queries will always return results that will match "Token-Groups – Unqualified Names".
LDAPCP supports "Token-Groups – Qualified Domain Name" but it requires a developer to inherit base class to configure this. There is an example of this configuration in package "LDAPCP for Developers"
cheers,
Yvan
Yvand,

Can you elaborate on the above response? We have a bunch of different domains that AD Groups are in and some actually share the same name between domains; ad/cool users, and hsc/cool users. I need to differentiate between the two.

I have set the claim mapping for Token-Groups – Qualified Domain Name, but need the people picker to show (ad\cool users and hsc\cool users) so that people can differentiate between the two domains.

I couldn't find an example of how to support this in the LDAPCP for Developers download you mentioned.

Any help would be appreciated.

Thanks,

John
Coordinator
Jul 1, 2014 at 11:31 AM
hello John and sorry for my late reply.
your scenario is possible but not easy to implement in current version. It will be easier in the next one that will be released soon (but this scenario will still require custom code).
cheers,
Yvan
Jul 7, 2014 at 7:19 AM
Yvand wrote:
hello John and sorry for my late reply.
your scenario is possible but not easy to implement in current version. It will be easier in the next one that will be released soon (but this scenario will still require custom code).
cheers,
Yvan
Yvan,

Thanks for the response. We're looking at an Aug 11 go-live in Production. Do you have an ETA on this? Or is it possible to use Token Group - SID as the claim identifier and have it display and resolve with "ad\cool users" or "hsc\cool users"?

Thanks,

John
Coordinator
Jul 8, 2014 at 12:39 PM
hello John,
I published a new version today that makes your scenario a lot easier to implement, but I didn't have the time to create a custom sample to address your scenario.
I don't know when I can make this sample but I'll try to do it soon.
cheers,
Yvan
Jul 14, 2014 at 6:57 PM
Yvand wrote:
hello John,
I published a new version today that makes your scenario a lot easier to implement, but I didn't have the time to create a custom sample to address your scenario.
I don't know when I can make this sample but I'll try to do it soon.
cheers,
Yvan
Thanks a ton! I'll watch for the sample as I head in to my Aug. 11th deadline.
Coordinator
Jul 18, 2014 at 8:42 AM
hello,
finally I published a new version with 2 new overridable methods to make your scenario even easier to implement.
I also created a sample (see class LDAPCP_CustomResolution in LDAPCP for Developers) to demonstrate how to implement it.
Please take a look and let me know if that fits your needs.
Cheers,
Yvan